EBay Under Fire After Cross Site Scripting Attack

Discussion in 'malware problems & news' started by ronjor, Sep 18, 2014.

  1. ronjor

    ronjor Global Moderator

    Jul 21, 2003
  2. hawki

    hawki Registered Member

    Dec 17, 2008
    DC Metro Area
    How More Irresponsible Could eBay Be?

    "eBay under pressure as hacks continue

    Leading security researchers have called on eBay to take immediate action over dangerous listings, as the problem continues to put users at risk.

    The BBC has now identified more than 100 listings that had been exploited to trick customers into handing over personal data.
    Over the weekend, readers got in touch with the BBC, saying they had attempted to warn eBay about the problem.
    The company said it would 'continue to review all site features and content'...

    The problem has affected the site since at least February, the BBC has confirmed - although some experts say it has been an issue for more than a year...

    In a statement, eBay said: "Many of our sellers use active content like Javascript and Flash to make their eBay listings perform better.

    "We have no current plans to remove active content from eBay.
    However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security."...

    The stance has had security professionals queuing up to criticise the site's security practice.

    'It's not OK for eBay to have cross-site scripting vulnerabilities on its website,' said Mikko Hypponen, from security firm F-Secure.

    'If they can't make it work without the risk of exposing users to cross-site scripting, they shouldn't allow it.'

    Security researcher Brian Honan called for eBay to disable the active content until it could reassure customers.

    'Obviously having Javascript and Flash and all that wonderful stuff is great for the seller,' he told the BBC.

    'But it exposes eBay and its customers to security risks. Until eBay has the ability to automatically identify malicious links, it should disable Javascript until they have some way of better controlling the risk.

    'The needs of the many outweigh the needs of the few.'

    Dr Steven Murdoch, from University College London's Information Security Research Group, added: 'Sellers do use active content, but I expect a very large proportion of needs could be fulfilled with some eBay-provided Javascript which has been carefully checked for safety by eBay.'...

    Russell Dearlove, from York, told the BBC his account had been 'acting strangely'. He was temporarily locked out of his account, and listings had been posted by an unknown person.

    'I kept getting messages flashing up on my email saying, 'Congratulations you've sold your iPad'. I didn't have an iPad to sell!

    'I emailed eBay to say there's something not quite right here. I got no response but they have sent me a statement saying I owed about £35.

    'They basically sent me a statement saying, 'This is what you owe for your selling fees.'...

    Since the BBC posted its first story on the issue last week, more than a dozen users have come forward expressing concern about the site's security and process for dealing with customer complaints.

    Many provided chat transcripts with eBay support staff. In one, a user was told to 'clear the cache and the cookies' when reporting a malicious link. It later said the issue was being escalated to support staff."

    Full Story Here: http://www.bbc.com/news/technology-29310042
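As an added illustration, not code from the article, from eBay, or from the poster: a small Python check in the spirit of what the quoted researchers propose, flagging the kinds of seller-supplied active content the story describes (script and Flash/embed elements, inline event handlers, javascript: links) so a listing can be rejected or routed for review before it is published. The sample listings, the element set and the function names are constructed for this example.

```python
# Added example: detect "active content" in seller-supplied listing HTML.
# Uses only the standard library; tag and attribute names are lowercased
# by HTMLParser, attribute values are left as the seller wrote them.
from html.parser import HTMLParser

# Elements that execute code or load plugins (Flash via <object>/<embed>).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
# Attributes that carry a URL and may therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "data", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFinder(HTMLParser):
    """Collects a human-readable finding for every piece of active content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):                       # onclick, onerror, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Normalise case and stray NULs before checking the scheme.
                scheme = value.strip().lower().replace("\x00", "")
                if scheme.startswith(SCRIPT_SCHEMES):
                    self.findings.append(
                        f"{name} uses {scheme.split(':')[0]}: URL on <{tag}>")


def find_active_content(listing_html):
    """Return the list of findings for one listing (empty list means clean)."""
    parser = ActiveContentFinder()
    parser.feed(listing_html)
    parser.close()
    return parser.findings


def is_clean_listing(listing_html):
    """Policy decision: a listing is publishable only if nothing was flagged."""
    return not find_active_content(listing_html)


# Constructed sample listings (not real eBay content).
SAFE_LISTING = ('<p><b>iPad 2</b> 16GB, boxed.</p>'
                '<img src="https://example.invalid/ipad.jpg" alt="photo">')
RISKY_LISTING = ('<p>Great deal</p><script>runSellerCode()</script>'
                 '<img src="x" onerror="track()">'
                 '<a href="JavaScript:void(0)">Buy</a><embed src="movie.swf">')

if __name__ == "__main__":
    for label, html in (("safe", SAFE_LISTING), ("risky", RISKY_LISTING)):
        print(label, "->", find_active_content(html) or "clean")
```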